Which server processes the password change?

  • Question

  • Hi there,

    As far as I know, when a user's password gets reset on a DC (Domain Controller), the DC will replicate the change to the DC that holds the PDC Emulator role right away.

    My questions are:
    1. When a user changes his own password (using Ctrl+Alt+Del -> Change a password...), will his machine talk directly to the PDC Emulator?
    2. If so, what happens if the PDC Emulator is unavailable and the role hasn't been seized (manually) by another DC? Will password changes be processed temporarily by another active DC?

    Thanks!

    Friday, January 29, 2016 9:15 PM

All replies

  • The DC you are connected to changes the password in its copy of the AD database, then immediately forwards the change to the DC with the PDC Emulator role. If this DC is not available, the password change will still propagate by normal replication.

    However, if the user attempts to use the new password, and the DC the user is connected to believes the password is wrong, that DC will immediately forward the authentication request to the PDC Emulator for verification. So if normal replication has not yet passed the new password to all DCs, and the PDC Emulator is still not available, the user may not be able to authenticate with the new password. If the user makes enough attempts, they could get locked out.

    Edit: In the past I tested in my lab setup with the PDC Emulator unavailable. I found that when a user attempts to logon with a bad password the bad password count can be incremented by more than one for each bad password attempt when the PDC Emulator is down. The user can actually get locked out sooner than expected. However, I only tested with a bad password, one that did not match either the correct password, or one in password history. If the user attempts to logon with the previous password, the authentication attempt is still forwarded to the PDC Emulator, but the bad password count is not incremented, as long as the bad password is among the two most recent passwords in the history.


    Richard Mueller - MVP Enterprise Mobility (Directory Services)


    • Edited by Richard Mueller MVP Friday, January 29, 2016 10:29 PM
    • Proposed as answer by Mike Crowley Saturday, January 30, 2016 2:02 AM
    • Marked as answer by Alex'R Monday, February 1, 2016 7:39 PM
    • Unmarked as answer by Alex'R Monday, February 1, 2016 7:43 PM
    • Marked as answer by Alex'R Tuesday, February 2, 2016 2:02 PM
    Friday, January 29, 2016 10:23 PM
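    An added check (not code from the thread) that makes the failure mode above visible: it locates the PDC Emulator, tests whether its LDAP port is reachable, and then reads the non-replicated badPwdCount for one user from every DC, so an over-counted lockout while the PDCe is down shows up per DC. It assumes the RSAT ActiveDirectory module and a domain-joined session with rights to read user attributes.

```powershell
# Added example, not from the thread: PDC Emulator reachability and per-DC bad-password counts.
# Assumes the RSAT ActiveDirectory module and a domain-joined session (Test-NetConnection needs
# Windows 8 / Server 2012 or later).
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # user to inspect
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator
Write-Host "PDC Emulator role holder: $pdce"

# If LDAP on the PDCe is unreachable, a DC that rejects a password cannot re-verify it there,
# and, as observed in the lab above, badPwdCount can grow faster than one per attempt.
$pdceUp = (Test-NetConnection -ComputerName $pdce -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
Write-Host ("PDC Emulator LDAP (389) reachable: {0}" -f $pdceUp)

# badPwdCount is not replicated between DCs, so each DC has to be asked directly.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, LastBadPasswordAttempt, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDCe      = ($dc.HostName -eq $pdce)
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.LastBadPasswordAttempt
            LockedOut   = $u.LockedOut
        }
    } catch {
        # The DC itself is down or unreachable from here; record that rather than abort.
        [pscustomobject]@{ DC = $dc.HostName; IsPDCe = ($dc.HostName -eq $pdce)
                           BadPwdCount = 'unreachable'; LastBadPwd = $null; LockedOut = $null }
    }
}
$report | Sort-Object DC | Format-Table -AutoSize

# A count on one DC that outruns the number of real attempts, with the PDCe unreachable,
# is the pattern to expect when a user keeps retrying a genuinely wrong password.
```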
  • Hi Alex,

    The unavailability of the PDC emulator has the following impact:

    1. When the domain user attempts a password change, the user sees a message similar to the following: “Unable to change password on this account. Please contact your system administrator.”
    2. In a mixed domain, the event logs of BDCs contain entries showing failed replication attempts.

    For more information, you could refer to the section of Primary Domain Controller (PDC) Emulator of the article below.

    How Operations Masters Work

    https://technet.microsoft.com/en-us/library/cc780487(v=ws.10).aspx#w2k3tr_adops_how_qomy

    Best Regards,

    Jay


    Monday, February 1, 2016 10:00 AM
  • Richard,

    Thank you for your in-depth explanation; however, my first question was focusing on the way password changes are processed from the workstation's perspective. Is it processed directly by the PDC DC or by a randomly available DC?

    Thanks again!!

    Monday, February 1, 2016 7:58 PM
  • A process called domain controller locator is used to find a DC for authentication. These links explain how it works:

    https://technet.microsoft.com/en-us/library/cc961830.aspx

    http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/11/domain-controller-locator-in-depth.aspx

    Only if the DC selected finds that the password is wrong (actually the hash of the password) is the authentication request forwarded to the PDC Emulator.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Alex'R Tuesday, February 2, 2016 2:02 PM
    Monday, February 1, 2016 8:46 PM
  • Hi Richard,

    Thanks a lot for the links, very insightful!

    After reading it I realized that the one responsible for providing the "closest" DC is the DNS server.

    In my case I need to make sure that an old DC won't participate and be offered in the DC Locator process.
    I'll end up playing with the priorities and weights to ensure this one stays out of it for the most part.

    Thanks again!! :)
    Alex

    Tuesday, February 2, 2016 2:14 PM
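    An added example (not from the thread) of the priority/weight adjustment mentioned above: it lists the SRV records the DC Locator resolves for the domain, then sets the Netlogon LdapSrvPriority and LdapSrvWeight values on one DC so that DC is published as a last resort. The DC name is a placeholder; it assumes the RSAT ActiveDirectory module, PowerShell remoting to that DC, and administrative rights on it.

```powershell
# Added example, not from the thread: inspect DC Locator SRV records and de-prioritize one DC.
# Assumes the RSAT ActiveDirectory module, remoting to the target DC, and admin rights on it.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$oldDc  = 'OLD-DC01.example.com'   # placeholder: FQDN of the DC to keep out of the locator

function Get-DcLocatorSrv {
    # DC Locator resolves _ldap._tcp.dc._msdcs.<domain>. Clients try the lowest Priority
    # first; DCs sharing a priority are chosen randomly in proportion to Weight.
    param([string]$DnsDomain)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Priority, Weight, Port |
        Sort-Object Priority, @{Expression = 'Weight'; Descending = $true}
}

function Set-DcLocatorPreference {
    # Netlogon writes these two DWORDs into every SRV record the DC registers (defaults 0/100).
    # A high Priority makes the DC a last resort; a low Weight shrinks its share among DCs
    # with the same priority. Restarting Netlogon re-registers the records with DNS.
    param([string]$ComputerName, [int]$Priority = 200, [int]$Weight = 10)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($p, $w)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $key -Name LdapSrvPriority -Value $p -Type DWord
        Set-ItemProperty -Path $key -Name LdapSrvWeight   -Value $w -Type DWord
        Restart-Service Netlogon
    } -ArgumentList $Priority, $Weight
}

"Before:"; Get-DcLocatorSrv -DnsDomain $domain | Format-Table -AutoSize
Set-DcLocatorPreference -ComputerName $oldDc
Start-Sleep -Seconds 30   # allow the re-registered records to appear in DNS
"After:";  Get-DcLocatorSrv -DnsDomain $domain | Format-Table -AutoSize

# Confirm which DC the locator now returns when a fresh lookup is forced:
nltest /dsgetdc:$domain /force
```

Site-specific records (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) carry the same priority and weight, so clients in the old DC's own site are steered away as well, and a DC still registered this way remains reachable if every other DC fails.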